GDPR: Are You Ready?
In just over a month, the General Data Protection Regulation (GDPR) (EU) 2016/679 will be implemented. Philip Fisher outlines what practices must do before the deadline.
Given the fact that accountants are ordered and organised people, it would be nice to imagine that every reader is sick to death of the subject and each practice in the country is already set up to operate within the regulations, following a smooth transition in a fortnight’s time.
In reality, life is not like that. While the majority of practices will have everything in place by the deadline, I would not be surprised to learn that a significant percentage has barely started its preparations yet, happily using that popular accounting principle – leave everything to the last minute.
There is an extra provocation for approximately half of the population, including many accountants, given that this regulation has been handed down by the European Parliament and Council, organisations so hateful that they have forced the UK to depart from its long association with our neighbours across the English Channel.
Unfortunately, at present, there is no exemption from legislation on the basis that it has been laid down by the EU, although that (or its equivalent) will come in time. Even so, our own dear government, which rails against euro red tape on a regular basis, seems to have no immediate plans to overturn GDPR.
Having said that, many might argue that there would be a strong justification for considering such action given that implementation will undoubtedly be an administrative nightmare, especially for smaller organisations including most accounting firms.
The consequence is that we will have to like it or lump it, which means ensuring that potentially substantial and robust internal structures are in place by 25 May.
Many readers might now be moving on to the next article on the basis that they are smugly grinning like Cheshire cats in the knowledge that their GDPR strategy has been in place for months. For anyone left, here is a brief rundown.
At a headline level, it will be necessary to comply with the following matters.
- There must be a lawful basis for processing data. In reality, in the profession, this will almost always mean that advance consent to the processing of personal data for at least one specific purpose has been obtained.
- Such consent must be explicit about the data collected. Going a stage further, data controllers must be able to prove consent, which may be withdrawn at any time.
- Mirroring the money laundering legislation, it will be necessary to appoint a data protection officer. They will need specific training, particularly around data security including dealing with cyber attacks and attaining a full understanding of how to deal with personal and sensitive data, of which there could be much in our sector. Make no mistake, at times this will be an onerous role, even for those trained in the skills of auditing, particularly at implementation but also occasionally on an ongoing basis. Therefore in most firms, a whole team will be needed to ensure compliance.
- Data protection must be designed into the development of business processes with privacy settings at a high level to ensure that the whole process complies with the regulation and that data is not processed unless strictly necessary.
- Data breaches will clearly be one of the most important areas with which the data protection officer will have to deal.
- Clients and staff members whose personal data records are held must be given a right of access and a right of erasure in certain circumstances.
- There is an obligation to keep records of processing activities ready for auditors.
We all love sticking our heads in the sand and in many cases, never suffer as a result of doing so. However, in this case, it might not be the best policy given the swingeing sanctions for those who fail to comply.
While we can all probably put up with the occasional warning for a first offence or non-intentional failure to comply and would expect to face regular data protection audits, things get considerably worse.
Potentially, if there is a breach, your firm could be subject to a fine of up to the greater of €20m or 4% of the annual worldwide turnover of the preceding financial year in respect of certain provisions, and half of these levels for less serious offences.
This is only a brief guide. The best bet for last-minute managers is to head to AccountingWEB’s GDPR hot topics section. This provides a complete lowdown on the obligations and the least painful way of ensuring that your practice does not fall foul of the new law.